To determine priority among the collection of fields resulting of an search in the CLI, Splunk uses ASCII sort order. Fields named "A" have a higher priority than fields named "B", and so on. Also, all fields with an uppercase letter have precedence over any fields starting with a lowercase letter, due to ASCII sort order.
this case that you have in CLI "-.Error","Daemon.Error","Daemon.Warning","Kern.Alert","Kern.Critical","Kern.Error","Kern.Warning",
"Local4.Error","Local7.Error","Local7.Warning",OTHER,"_time","_span","_spandays" is ASCII sort order.
but run this search in CLI:
./splunk search "index=idx_lyl earliest=10/01/2014:0:0:0 latest=11/03/2014:23:59:59 criticity!=".Info" AND criticity!=".Debug" AND criticity!="*Notice"
| timechart count by criticity |table "_time", "-.Error", "Daemon.Error", "Daemon.Warning", "Kern.Alert", "Kern.Critical", "Kern.Error", "Kern.Warning", "Local4.Error", "Local7.Error", "Local7.Warning", OTHER| sort + _time" -preview 0 -maxout 0 -output csv > result.csv
or
./splunk search "index=idx_lyl earliest=10/01/2014:0:0:0 latest=11/03/2014:23:59:59 criticity!=".Info" AND criticity!=".Debug" AND criticity!="*Notice"
| timechart count by criticity |fields "_time", "-.Error", "Daemon.Error", "Daemon.Warning", "Kern.Alert", "Kern.Critical", "Kern.Error", "Kern.Warning", "Local4.Error", "Local7.Error", "Local7.Warning", OTHER| sort + _time" -preview 0 -maxout 0 -output csv > result.csv
... View more